phil/ezidam
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refresh_tokens: add app inside each refresh token

Browse source
This commit is contained in:
Philippe Loctaux 2023-04-02 01:10:27 +02:00
parent 2caf584cb7
commit 956f28f7e5
11 changed files with 109 additions and 75 deletions
Download patch file Download diff file Expand all files Collapse all files

1
crates/database/migrations/20230318135414_refresh_tokens.up.sql
View file

@ -4,6 +4,7 @@ create table if not exists refresh_tokens
token TEXT not null primary key,
ip_address TEXT not null,
user TEXT not null references users (id),
app TEXT not null references apps (id),
-- timings
created_at TEXT not null default CURRENT_TIMESTAMP,

1
crates/database/queries/refresh_tokens/get_one.sql
View file

@ -3,6 +3,7 @@ select
token,
ip_address,
user,
app,
-- timings
created_at as "created_at: DateTime<Utc>",

4
crates/database/queries/refresh_tokens/insert.sql
View file

@ -1,2 +1,2 @@
insert into refresh_tokens (token, ip_address, user, expires_at)
values (?, ?, ?, datetime(?, 'unixepoch'))
insert into refresh_tokens (token, ip_address, user, app, expires_at)
values (?, ?, ?, ?, datetime(?, 'unixepoch'))

134
crates/database/sqlx-data.json
View file

@ -100,6 +100,66 @@
},
"query": "update apps\n\nset secret = ?\n\nwhere id is ?"
},
"37681902a5f5d87492812a525a6488e75d20c1c436a3ba2c5aa3f54da62fe861": {
"describe": {
"columns": [
{
"name": "token",
"ordinal": 0,
"type_info": "Text"
},
{
"name": "ip_address",
"ordinal": 1,
"type_info": "Text"
},
{
"name": "user",
"ordinal": 2,
"type_info": "Text"
},
{
"name": "app",
"ordinal": 3,
"type_info": "Text"
},
{
"name": "created_at: DateTime<Utc>",
"ordinal": 4,
"type_info": "Text"
},
{
"name": "expires_at: DateTime<Utc>",
"ordinal": 5,
"type_info": "Text"
},
{
"name": "used_at: DateTime<Utc>",
"ordinal": 6,
"type_info": "Text"
},
{
"name": "revoked_at: DateTime<Utc>",
"ordinal": 7,
"type_info": "Text"
}
],
"nullable": [
false,
false,
false,
false,
false,
false,
true,
true
],
"parameters": {
"Right": 1
}
},
"query": "select\n -- info\n token,\n ip_address,\n user,\n app,\n\n -- timings\n created_at as \"created_at: DateTime<Utc>\",\n expires_at as \"expires_at: DateTime<Utc>\",\n used_at as \"used_at: DateTime<Utc>\",\n revoked_at as \"revoked_at: DateTime<Utc>\"\nfrom refresh_tokens\n\nwhere token is (?)"
},
"3c8e31ffa5cbfd4dded8a272777cb320fb51fd2e53ed25054d24e9801df0c358": {
"describe": {
"columns": [],
@ -468,70 +528,6 @@
},
"query": "insert into authorization_codes (code, app, user, expires_at)\nvalues (?, ?, ?, datetime(?, 'unixepoch'))\n"
},
"a7405a0479b551ce8e3ea7451fd781214e049a0f12551146ace1e9a2f2f0c06d": {
"describe": {
"columns": [
{
"name": "token",
"ordinal": 0,
"type_info": "Text"
},
{
"name": "ip_address",
"ordinal": 1,
"type_info": "Text"
},
{
"name": "user",
"ordinal": 2,
"type_info": "Text"
},
{
"name": "created_at: DateTime<Utc>",
"ordinal": 3,
"type_info": "Text"
},
{
"name": "expires_at: DateTime<Utc>",
"ordinal": 4,
"type_info": "Text"
},
{
"name": "used_at: DateTime<Utc>",
"ordinal": 5,
"type_info": "Text"
},
{
"name": "revoked_at: DateTime<Utc>",
"ordinal": 6,
"type_info": "Text"
}
],
"nullable": [
false,
false,
false,
false,
false,
true,
true
],
"parameters": {
"Right": 1
}
},
"query": "select\n -- info\n token,\n ip_address,\n user,\n\n -- timings\n created_at as \"created_at: DateTime<Utc>\",\n expires_at as \"expires_at: DateTime<Utc>\",\n used_at as \"used_at: DateTime<Utc>\",\n revoked_at as \"revoked_at: DateTime<Utc>\"\nfrom refresh_tokens\n\nwhere token is (?)"
},
"aa88eb27d38ba4cfb539e4b4d7a86770c24221109e8fcc188a7d38f41e674817": {
"describe": {
"columns": [],
"nullable": [],
"parameters": {
"Right": 4
}
},
"query": "insert into refresh_tokens (token, ip_address, user, expires_at)\nvalues (?, ?, ?, datetime(?, 'unixepoch'))\n"
},
"aae93a39c5a9f46235b5ef871b45ba76d7efa1677bfe8291a62b8cbf9cd9e0d5": {
"describe": {
"columns": [],
@ -542,6 +538,16 @@
},
"query": "update settings\n\nset first_admin = ?\n\nwhere id is 0\n"
},
"b3936ae237f02cc048ca084372f7975921c79aef8fcd6d15a4d63c10f2377d24": {
"describe": {
"columns": [],
"nullable": [],
"parameters": {
"Right": 5
}
},
"query": "insert into refresh_tokens (token, ip_address, user, app, expires_at)\nvalues (?, ?, ?, ?, datetime(?, 'unixepoch'))\n"
},
"b652e67e8e1cd0e2b55c830c5569eb1c6caf73857215b4298265cce5c5462902": {
"describe": {
"columns": [

3
crates/database/src/tables/refresh_tokens.rs
View file

@ -9,6 +9,7 @@ pub struct RefreshTokens {
pub token: String,
pub ip_address: String,
pub user: String,
pub app: String,
// Timings
pub created_at: DateTime<Utc>,
@ -23,6 +24,7 @@ impl RefreshTokens {
token: &str,
ip_address: &str,
user: &str,
app: &str,
expires_at: i64,
) -> Result<Option<()>, Error> {
let query: SqliteQueryResult = sqlx::query_file!(
@ -30,6 +32,7 @@ impl RefreshTokens {
token,
ip_address,
user,
app,
expires_at
)
.execute(conn)

1
crates/ezidam/src/guards/jwt.rs
View file

@ -275,6 +275,7 @@ pub async fn use_refresh_token(
new_refresh_token.as_ref(),
ip_address,
user.id(),
refresh_token.app(),
REFRESH_TOKEN_DURATION_DAYS,
)
.await

8
crates/ezidam/src/routes/admin/settings.rs
View file

@ -120,7 +120,13 @@ pub async fn settings_security_form(
RefreshToken::revoke_all(&mut transaction).await?;
// Generate refresh token
generate_refresh_token(&mut transaction, ip_address, user.id(), cookie_jar)
generate_refresh_token(
&mut transaction,
ip_address,
user.id(),
app.id(),
cookie_jar,
)
.await
.map_err(Error::internal_server_error)?;

8
crates/ezidam/src/routes/oauth/redirect.rs
View file

@ -79,7 +79,13 @@ pub async fn redirect_page(
// TODO: refactor for "code" route
// Generate refresh token
generate_refresh_token(&mut transaction, ip_address, user.id(), cookie_jar)
generate_refresh_token(
&mut transaction,
ip_address,
user.id(),
app.id(),
cookie_jar,
)
.await
.map_err(Error::internal_server_error)?;

4
crates/ezidam/src/tokens.rs
View file

@ -1,5 +1,5 @@
use hash::SecretString;
use id::UserID;
use id::{AppID, UserID};
use jwt::{JwtClaims, PrivateKey};
use refresh_tokens::RefreshToken;
use rocket::http::{Cookie, CookieJar, SameSite};
@ -16,6 +16,7 @@ pub async fn generate_refresh_token(
conn: impl SqliteExecutor<'_>,
ip_address: IpAddr,
user_id: &UserID,
app_id: &AppID,
cookie_jar: &CookieJar<'_>,
) -> Result<(), String> {
// Generate refresh token
@ -29,6 +30,7 @@ pub async fn generate_refresh_token(
refresh_token.as_ref(),
ip_address.to_string(),
user_id,
app_id,
REFRESH_TOKEN_DURATION_DAYS,
)
.await

5
crates/refresh_tokens/src/database.rs
View file

@ -3,7 +3,7 @@ use crate::RefreshToken;
use chrono::{Duration, Utc};
use database::sqlx::SqliteExecutor;
use database::RefreshTokens as DatabaseRefreshTokens;
use id::UserID;
use id::{AppID, UserID};
impl From<DatabaseRefreshTokens> for RefreshToken {
fn from(db: DatabaseRefreshTokens) -> Self {
@ -12,6 +12,7 @@ impl From<DatabaseRefreshTokens> for RefreshToken {
token: db.token,
ip_address: db.ip_address,
user: UserID(db.user),
app: AppID(db.app),
// Timings
created_at: db.created_at,
@ -28,6 +29,7 @@ impl RefreshToken {
token: &str,
ip_address: String,
user: &UserID,
app: &AppID,
duration_days: i64,
) -> Result<Option<()>, Error> {
let expires_at = Utc::now() + Duration::days(duration_days);
@ -37,6 +39,7 @@ impl RefreshToken {
token,
ip_address.as_str(),
user.as_ref(),
app.as_ref(),
expires_at.timestamp(),
)
.await?)

7
crates/refresh_tokens/src/lib.rs
View file

@ -2,7 +2,7 @@ mod database;
mod error;
use chrono::{DateTime, Utc};
use id::UserID;
use id::{AppID, UserID};
pub use crate::error::Error;
@ -12,6 +12,7 @@ pub struct RefreshToken {
token: String,
ip_address: String,
user: UserID,
app: AppID,
// Timings
created_at: DateTime<Utc>,
@ -36,4 +37,8 @@ impl RefreshToken {
pub fn user(&self) -> &UserID {
&self.user
}
pub fn app(&self) -> &AppID {
&self.app
}
}